TLS 1.2 & Entrust Certificate - FTP Update 10/29/2018

An Overview:

Medidata is continuing the update to the security protocols known as Transport Layer Security (TLS) and SSL Certificate Authority in our systems. We have completed the updates to all Medidata web services except FTP.

We will be applying the same TLS updates to the FTP servers in HDC and FRA. However, Global Sign will remain the certificate authority for FRA.

What is changing?

All FTP services on FTP04 must be migrated to FTP01 by December 1, 2018.

This is required in order to retire unsupported software and vulnerable TLS protocols. The new FTP01 server only supports TLS 1.2 and no longer supports weak encryption algorithms such as 3DES.

Please contact your PM for migration details.

All updates will be performed during the normal maintenance window: 6pm-10pm CDT.

How does this affect me as a User?

File uploads/downloads via FTP servers in HDC/FRA

What steps have already occurred?

The SSL certificates on FRA FTP services (ftp07, and ftp08) will be renewed with a Global Sign certificate on July 21, 2018. - COMPLETE

The supported TLS protocols on all FTP services in HDC will be restricted to version 1.2 on September 29, 2018 - COMPLETE

Weak cipher suites (smaller than 128 bits) will be disabled in HDC, including 3DES (which is considered to be 112 bits), on September 29, 2018 - COMPLETE

The supported TLS protocols on all FTP services in FRA (ftp07 & ftp08) will be restricted to version 1.2 on October 27, 2018 - COMPLETE

Weak cipher suites (smaller than 128 bits) will be disabled in FRA, including 3DES (which is considered to be 112 bits), on October 27, 2018 - COMPLETE

TESTING

One FTP server has been created to verify compatibility with both TLS 1.2 and Entrust root certificates. The test instance contains no test data and is not capable of responding to batch commands. Establishing an HTTPS (TLS) connection to the FTP service constitutes a successful test.

FTP HOSTNAME: ftp06.ftp.mdsol.com

Credentials are provided to test FTP connectivity only.

Username: cs_verify

Password: 7^7J23a3

Medidata supports FTP/s (FTP over SSL) only

Supports TLS 1.2 protocol only

New Entrust certificate is loaded

FTP clients must support TLS 1.2 and have the Entrust Datacard root certificate loaded in their root store.

FTP clients must support one of the following cipher suites:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_256_CBC_SHA256

Root stores may not be up to date under a couple of conditions:

The FTP clients are too old or are not updated regularly. Entrust is supported by most major browsers and FTP software, including unsupported versions, so this should not be an issue.

The fix is to update the browser software or update the root store in the integration software. The Entrust certificate chain may be downloaded (see links below).
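As an added example (not Medidata's own tooling), the following Python check exercises the client-side requirements above: it pins the client to TLS 1.2, offers only the listed cipher suites, verifies the server chain against the OS root store (which must contain the Entrust root), and judges the negotiated version and suite. It assumes explicit FTPS (AUTH TLS on port 21); the host and credentials are passed on the command line rather than embedded.

```python
import ssl
from ftplib import FTP_TLS

# IANA suite names from the notice mapped to the OpenSSL names Python reports.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
}
ALLOWED = set(IANA_TO_OPENSSL.values())

def build_context() -> ssl.SSLContext:
    """TLS 1.2 only; chain verified against the OS root store, which must hold the Entrust root."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(IANA_TO_OPENSSL.values()))  # ECDHE suites first
    return ctx

def check_negotiated(version, cipher, bits):
    """Pass criterion from the notice: TLS 1.2 with a listed suite of at least 128 bits."""
    if version != "TLSv1.2":
        return False, f"negotiated {version}; the server should only accept TLSv1.2"
    if bits < 128:
        return False, f"{cipher} is {bits}-bit; 3DES-class suites are disabled"
    if cipher not in ALLOWED:
        return False, f"{cipher} is not one of the listed suites"
    return True, f"ok: {version} {cipher} ({bits}-bit)"

def verify_ftps(host, user, password, port=21):
    """Connect, AUTH TLS, log in, protect the data channel, and judge the handshake."""
    ftps = FTP_TLS(context=build_context(), timeout=20)
    ftps.connect(host, port)
    ftps.auth()             # explicit TLS on the control channel (assumed mode)
    ftps.login(user, password)
    ftps.prot_p()           # encrypt the data channel too
    name, _, bits = ftps.sock.cipher()
    result = check_negotiated(ftps.sock.version(), name, bits)
    ftps.quit()
    return result

if __name__ == "__main__":
    import sys  # usage: python this.py HOST USER PASSWORD
    print(verify_ftps(*sys.argv[1:4]))
```

A chain-verification failure surfaces as an SSLError at the `auth()` step, which is the symptom of a missing Entrust root described above.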

FAQs:

Q: WHAT IS TLS 1.2?

A: The TLS protocol (aka SSL) is used to terminate secure browser and API integrations to web services. Versions 1.0 and 1.1 of the TLS protocol will no longer be supported by Medidata Clinical Cloud platforms as of June 2018. This affects all web services for Rave, RaveX and iMedidata platforms including FTP over SSL and other add-ons.

TLS version 1.0 is no longer considered secure by industry standards and contains known vulnerabilities such as BEAST and POODLE. This protocol is scheduled for deprecation in 2018 by major vendors such as Microsoft, Google, and Salesforce, along with security frameworks such as PCI and NIST.

TLS version 1.1 has seen little use since the introduction of version 1.2, given that there is little difference in security between v1.0 and v1.1.

Q: WHAT IS AN ENTRUST CERTIFICATE?

A: SSL certificates are used to secure access to web services using TLS encryption protocols. Medidata is transitioning to Entrust Datacard as its primary certificate authority instead of GoDaddy as part of our certificate renewal. GlobalSign will continue to be our certificate authority for our EU presence.

Browsers, FTP clients, and integration (API) software rely on root stores for initializing secure communication with TLS (SSL). These root stores contain the root certificates of major certificate authorities such as Entrust and GoDaddy. If these root stores are not updated regularly, the client will experience a connection error if the root certificate from Entrust is not loaded. This is normally updated automatically by the software vendors.

Q: Which Medidata systems are affected by the TLS and Certificate updates?

A: The updates affect all systems that leverage web services over HTTPS. This includes browsers, FTP clients, and system integrations with RWS, iMedidata, EDI, etc.

Q: What is considered to be a successful test?

A: We are testing for connectivity only, which means we are looking for an established secure connection. A browser will simply show a secure site badge and the authentication page. An FTP client will indicate that authentication succeeded.

A file named Test_README has been created within the test folder for download verification; however, this step is not required. Uploads are not allowed.

Q: Can Medidata create a test FTP site with test data in order to complete end-to-end FTP testing?

A: The test FTP instance was created to support minimal testing and cannot be populated with test data. We are not changing the application architecture of any system. The TLS infrastructure is independent of the application systems. Therefore, customers need only test for successful connectivity. There is no risk to the application/data architecture.

Q: Does the customer have to disable older versions of TLS?

A: No, not from the customer's perspective. They must only be able to support TLS 1.2; there is no requirement to disable the older versions in their software. We suggest that they do not, in order to maintain compatibility with other older non-Medidata systems.

Q: Can customers get more detailed information regarding their TLS connections?

A: We cannot provide detailed log information due to the nature of the encrypted sessions and our FTP architecture.